Which passwords to avoid for Internet-facing systems?

  • 2 March 2016

BY: Zeljka Zorz - Managing Editor, March 2, 2016
For the last year or so, Rapid7 has been collecting login credentials via “Heisenberg,” a network of low-interaction honeypots that the company has set up to analyze login attempts by random, opportunistic actors.
The honeypots emulate the authentication handshakes of several protocols, but nothing more than that, so the motives of the “attackers” are unknown. But the recorded login attempts give insight into the top attempted usernames, passwords, and username:password combinations.
The recently released report that the company has compiled in the wake of this research has concentrated on login attempts coming through the Remote Desktop Protocol (RDP).
“RDP enables remote desktop-based control of home, office, POS, and kiosk systems, and is often enabled intentionally and legitimately by those systems’ owners, since it is sometimes considered as a secure alternative to a Virtual Private Network (VPN) connection,” the researchers explained. “RDP is also a popular management interface for some Windows-based Point-Of-Sale (POS) systems.”
In fact, a recent Internet-wide scan the company made revealed nearly 11 million IP addresses listening for 3389/TCP, the default port for RDP, which means that there is a huge number of targets waiting to get popped.
Expectedly, the most tried usernames are administrator and Administrator, followed by user1. The usernames pos, db2admin and sql are also in the top 10, pointing to attackers looking for Point of Sale systems and internet-facing databases.
A list of top ten passwords is a bit more interesting (and not the usual list of most commonly chosen passwords by users):
 
full article here:
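As an added example (not the article's own material and not Rapid7's Heisenberg code), the script below does the kind of analysis the post describes: it tallies the most-tried usernames, passwords and username:password pairs from honeypot login attempts, and goes one step further by labelling each source address as password-spraying (few passwords walked across many accounts) or brute-forcing (one account hammered with many passwords). The tab-separated log format, the field names and the sample records are constructed for this example; they are not real honeypot captures or the report's data.

```python
"""Tally credentials tried against a honeypot and label each source's behaviour.

Added example; this is not Rapid7's Heisenberg code. The log format
(tab-separated: timestamp, source IP, protocol, username, password) and
the SAMPLE_LOG lines are constructed for this example, not real
honeypot captures or the report's own data.
"""
from collections import Counter, defaultdict

# Constructed sample records; addresses come from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2016-02-01T10:00:01Z\t198.51.100.7\trdp\tadministrator\t123456
2016-02-01T10:00:02Z\t198.51.100.7\trdp\tAdministrator\t123456
2016-02-01T10:00:03Z\t198.51.100.7\trdp\tuser1\tpassword
2016-02-01T10:00:04Z\t198.51.100.7\trdp\tpos\tpos
2016-02-01T10:05:00Z\t203.0.113.9\trdp\tadministrator\tx
2016-02-01T10:05:01Z\t203.0.113.9\trdp\tadministrator\tadmin
2016-02-01T10:05:02Z\t203.0.113.9\trdp\tadministrator\tpassword
2016-02-01T10:05:03Z\t203.0.113.9\trdp\tdb2admin\tdb2admin
2016-02-01T11:00:00Z\t192.0.2.3\tssh\troot\t123456
"""


def parse_log(text):
    """Return a list of (timestamp, src_ip, protocol, username, password).

    Splitting at most four times keeps a password that itself contains
    a tab intact; lines with fewer than five fields are skipped.
    """
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t", 4)
        if len(fields) != 5:
            continue
        records.append(tuple(fields))
    return records


def top_credentials(records, n=10, protocol=None):
    """Most-tried usernames, passwords and username:password pairs.

    Usernames are compared case-sensitively, so 'administrator' and
    'Administrator' are counted separately, as they are in the report.
    """
    users, passwords, pairs = Counter(), Counter(), Counter()
    for _, _, proto, user, pw in records:
        if protocol is not None and proto != protocol:
            continue
        users[user] += 1
        passwords[pw] += 1
        pairs[f"{user}:{pw}"] += 1
    return users.most_common(n), passwords.most_common(n), pairs.most_common(n)


def classify_sources(records, min_attempts=3):
    """Label each source IP by how it spread its attempts.

    'spray'       : more distinct usernames than distinct passwords
                    (a short password list walked across many accounts)
    'brute-force' : one or few usernames tried with many passwords
    'low-volume'  : fewer than min_attempts attempts seen
    """
    seen = defaultdict(lambda: {"users": set(), "passwords": set(), "n": 0})
    for _, src, _, user, pw in records:
        entry = seen[src]
        entry["users"].add(user)
        entry["passwords"].add(pw)
        entry["n"] += 1
    labels = {}
    for src, entry in seen.items():
        if entry["n"] < min_attempts:
            labels[src] = "low-volume"
        elif len(entry["users"]) > len(entry["passwords"]):
            labels[src] = "spray"
        else:
            labels[src] = "brute-force"
    return labels


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    users, passwords, pairs = top_credentials(recs, n=5, protocol="rdp")
    print("top usernames:", users)
    print("top passwords:", passwords)
    print("top pairs:    ", pairs)
    for src, label in classify_sources(recs).items():
        print(f"{src:15} {label}")
```

Filtering on protocol="rdp" mirrors the report's focus on 3389/TCP; run it over the SSH records too and the same functions give the per-protocol picture. The spray/brute-force split is a simple heuristic on distinct-username versus distinct-password counts, which is enough to separate an attacker walking a top-10 password list across many accounts from one grinding a dictionary against administrator.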